Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: prevent cross-org ObjectTags from being created #633

Merged
merged 3 commits into from
Feb 15, 2024
Merged

fix: prevent cross-org ObjectTags from being created #633

merged 3 commits into from
Feb 15, 2024

Conversation

pomegranited
Copy link
Member

@pomegranited pomegranited commented Feb 14, 2024
edited
Loading

Addresses this comment openedx#34146 (comment) about disallowing cross-org tagging and tagging using "no org" taxonomies.

Testing instructions

These changes should be validated by the unit tests.

@pomegranited
fix: prevent cross-org ObjectTags from being created
d81f0b1 
A "cross-org" ObjectTag is when the object_id references an org that is
not in the taxonomy's allowed list of orgs.

Similarly, we forbid creating object tags for a taxonomy with no allowed
orgs listed.

This change adds a rules check for this case, and updates the tests.
@pomegranited pomegranited mentioned this pull request Feb 14, 2024
Merged
yusuf-musleh
yusuf-musleh approved these changes Feb 14, 2024
View reviewed changes
Copy link

@yusuf-musleh yusuf-musleh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Looks good to me @pomegranited ! I just had similar question regarding the assert.

  • I tested this: I checked the updated tests and confirmed they are passing
  • I read through the code
  • I checked for accessibility issues
  • Includes documentation
  • I made sure any change in configuration variables is reflected in the corresponding client's configuration-secure repository.

openedx/core/djangoapps/content_tagging/rules.py
if not is_all_org:
# object_id is valid, else it would have thrown in can_change_object_tag_objectid
context_key = get_context_key_from_key_string(perm_obj.object_id)
assert context_key.org
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar to the question I had on openedx#34200 (comment) , if we should handle the AssertionError and return False or does the @rules.predicate or elsewhere handle it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, I'll handle it and return False.

@pomegranited pomegranited merged commit eac1f26 into jill/tagging-less-queries Feb 15, 2024
43 checks passed
@pomegranited pomegranited deleted the jill/tagging-cross-org branch February 15, 2024 01:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bradenmacdonald bradenmacdonald bradenmacdonald approved these changes

@yusuf-musleh yusuf-musleh yusuf-musleh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pomegranited @bradenmacdonald @yusuf-musleh